What's the difference between a transform set and a security association? I understand that in the transform set you have to state AH or ESP, but why do you also have to choose an HMAC and an encryption algorithm? Didn't we just configure that with isakmp? Also, what is the point in selecting an encryption algorithm in isakmp if we're using AH?

ISAKMP = UDP port 500, and IPSEC can use IP protocol number 50 and/or 51 (ESP and AH). ISAKMP and IPSEC are two different protocols, and confidentiality and integrity are set on each protocol. ISAKMP uses a bidirectional SA and IPSEC uses unidirectional SAs.

controlyourdog wrote: Also, what is the point in selecting an encryption algorithm in isakmp if we're using AH?

The encryption alg in isakmp has nothing to do with IPSEC.

_______________________________________________________________________There are 10 types of people in the world. Those who understand binary and those who don't.

controlyourdog wrote: What's the difference between a transform set and a security association?

A transform set is a generic combination of a hash and encryption algorithm used to encrypt phase two (I will get to that later) data. A transform set simply identifies which hash and encryption algorithm you want to use; it can be reused however many times you like for multiple tunnels.

controlyourdog wrote: I understand that in the transform set you have to state AH or ESP, but why do you also have to choose an HMAC and an encryption algorithm? Didn't we just configure that with isakmp?

As the previous poster mentioned, IPsec and IKE are different things, each corresponding to one of the two phases in the entire suite. Phase one is used to initiate the tunnel; it creates a low-level tunnel over which the phase two tunnel can be established, and it's what the ISAKMP parameters control. Phase two is the high-level tunnel over which actual application data is sent; it is initiated over the phase one tunnel, and it's what the crypto map parameters control.

controlyourdog wrote: Also, what is the point in selecting an encryption algorithm in isakmp if we're using AH?

If you actually do need to, it's probably just an artifact of older configuration parameters. AH is used almost nowhere these days and most platforms are tailored for ESP configuration rather than AH.
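To make the two-phase split concrete, here is an added Cisco IOS site-to-site example (not from any poster above). The ISAKMP policy holds the phase one (IKE) algorithms, the transform set holds the phase two (IPsec) algorithms, and the crypto map ties the transform set to a peer and to the traffic to protect. The peer address 203.0.113.2, the 10.1.0.0/16 and 10.2.0.0/16 subnets, the pre-shared key and all object names are assumed placeholders.

```cisco
! ---- Phase one: ISAKMP/IKE policy (protects the IKE negotiation itself) ----
! These algorithms encrypt and authenticate IKE traffic on UDP/500,
! NOT the user data; they are independent of what the transform set picks.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
! Placeholder key: in production use a strong, unique PSK or certificates.
crypto isakmp key EXAMPLE-PSK-CHANGE-ME address 203.0.113.2
!
! ---- Phase two: IPsec transform set (protects the actual user data) ----
! ESP with AES-256 and SHA-256 HMAC; this is where AH vs ESP is chosen.
! The set is reusable: any number of crypto map entries can reference it.
crypto ipsec transform-set TS-ESP-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Traffic selector: which packets get the phase two SA applied.
ip access-list extended ACL-VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! ---- Crypto map: binds peer + transform set + traffic selector ----
crypto map CM-SITE-A 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-ESP-AES256-SHA256
 set pfs group14
 match address ACL-VPN-TRAFFIC
!
interface GigabitEthernet0/0
 crypto map CM-SITE-A
!
! ---- Verification: the two SA types the first reply describes ----
! show crypto isakmp sa   -> one bidirectional phase one SA per peer
! show crypto ipsec sa    -> separate inbound and outbound phase two SAs
```

The ISAKMP SA (phase one) exists only to negotiate and rekey the IPsec SAs; the inbound and outbound IPsec SAs (phase two) carry the data, which is why each layer declares its own algorithms.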